Develop Reference

OWIN - clear invalid WSFederation cookies

I implemented an ASP.Net Web API 2 project with ADFS cookie authentication and hosted it on IIS. All works fine.
However, some clients have got old cookies which became invalid because of configuration changes. Such cookies cause following error when calling my API:
[CryptographicException: Key not valid for use in specified state.
]
System.Security.Cryptography.ProtectedData.Unprotect(Byte[] encryptedData, Byte[] optionalEntropy, DataProtectionScope scope) +447
System.IdentityModel.ProtectedDataCookieTransform.Decode(Byte[] encoded) +49
[InvalidOperationException: ID1073: A CryptographicException occurred when attempting to decrypt the cookie using the ProtectedData API (see inner exception for details). If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to false. ]
System.IdentityModel.ProtectedDataCookieTransform.Decode(Byte[] encoded) +329
System.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound) +167
System.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver) +826
System.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(Byte[] token, SecurityTokenResolver tokenResolver) +92
System.IdentityModel.Services.SessionAuthenticationModule.ReadSessionTokenFromCookie(Byte[] sessionCookie) +569
System.IdentityModel.Services.SessionAuthenticationModule.TryReadSessionTokenFromCookie(SessionSecurityToken& sessionToken) +306
System.IdentityModel.Services.SessionAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs) +159
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +142
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +92
The obvious workaround is to clear the cookies. However, it's likely that I'll change the cookies configuration again in future, so I'd like to clear all invalid cookies automatically from the API.
I've tried adding a custom OWIN middleware and overriding IExceptionHandler.
Here's my WIF config:
<system.identityModel>
<identityConfiguration>
<audienceUris>
<add value="https://my.web-api.com" />
</audienceUris>
<issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
<authority name="ADFS">
<keys>
<add thumbprint="--a thumbprint--" />
</keys>
<validIssuers>
<add name="http://my.adfs.com/adfs/services/trust" />
</validIssuers>
</authority>
</issuerNameRegistry>
</identityConfiguration>
</system.identityModel>
<system.identityModel.services>
<federationConfiguration>
<wsFederation issuer="https://my.adfs.com/adfs/ls" realm="https://my.web-api.com" requireHttps="true" passiveRedirectEnabled="false"
persistentCookiesOnPassiveRedirects="true" />
<cookieHandler name="my.cookie" path="/" persistentSessionLifetime="7.0:0:0" />
<serviceCertificate>
<certificateReference x509FindType="FindBySubjectName" findValue="my.web-api.com" storeLocation="LocalMachine" storeName="My" />
</serviceCertificate>
</federationConfiguration>
</system.identityModel.services>
Here's my Startup class:
public class Startup
{
public void Configuration(IAppBuilder appBuilder)
{
var config = new HttpConfiguration();
config.Services.Replace(typeof(IExceptionHandler), new CryptographicExceptionHandler());
WebApiConfig.Register(config);
appBuilder.UseWebApi(config);
appBuilder.Use<ClearInvalidCookiesMiddleware>();
}
}
No matter what's inside CryptographicExceptionHandler and ClearInvalidCookiesMiddleware, their code is not called and I'm getting 500 error. I also tried to move ClearInvalidCookiesMiddleware before UseWebApi.
My aim is to add Set-Cookie response header to clear invalid cookies and return 401 or a redirect.
How can I make OWIN to customize the response in this case?

The solution appeared to override SessionAuthenticationModule.OnAuthenticateRequest and call SignOut() in case of exceptions:
class ClearInvalidCookiesSessionAuthenticationModule : SessionAuthenticationModule
{
protected override void OnAuthenticateRequest(object sender, EventArgs eventArgs)
{
try
{
base.OnAuthenticateRequest(sender, eventArgs);
}
catch(InvalidOperationException ex) when (ex.InnerException is CryptographicException) // Invalid cookie signing key
{
SignOut();
}
catch(System.Xml.XmlException) // Invalid cookie structure
{
SignOut();
}
}
}
To use the inherited class instead of default one, one should insert following line inside Web.config:
<system.webServer>
<modules ...>
<!-- Insert the line below or replace existing SessionAuthenticationModule -->
<add name="SessionAuthenticationModule" preCondition="managedHandler"
type="MyNamespace.ClearInvalidCookiesSessionAuthenticationModule, MyAssembly" />
...
</modules>
...
</system.webServer>

How To Get Web API Attribute Routing Working

I have added a Web API feature to an ASP.NET MVC app and want to use attribute routing. When running the site in Visual Studio 2015, I can enter URLs in the browser address bar and get the methods on my controller to work. Once I move the site to IIS, all I get is 404 responses. I have tried many code changes with no luck.
The BuilderApiController file is in a WebAPI/v1/Controllers folder. Will attributes on the controller be found here?
namespace Hds.Edsi.WebAPI.V1.Controllers
{
[System.Web.Http.RoutePrefix("api/v1/builder")]
public class BuilderApiController : BaseApiController
{
[System.Web.Http.Route("GetExternalOrganizationID/{envisionOrgID}")]
[System.Web.Http.HttpGet]
public HttpResponseMessage GetExternalOrganizationID(string envisionOrgID)
{
WebApiConfig.cs file. Standard stuff. If I am using attribute routing, do I need the config.Routes.MapHttpRoute part? I have tried it with and without.
If I need it, what is the purpose of config.MapHttpAttributeRoutes()? When I look at GlobalConfiguration,Configuration._routes after Register is called, none of the attribute routing defined routes are there. Should they be?
namespace Hds.Edsi.WebAPI
{
public static class WebApiConfig
{
public static void Register(HttpConfiguration config)
{
// Web API routes
config.MapHttpAttributeRoutes();
/*
config.Routes.MapHttpRoute(
name: "DefaultApi",
routeTemplate: "api/v1/{controller}/{action}/{id}",
defaults: new { id = RouteParameter.Optional }
);
*/
protected void Application_Start()
{
GlobalConfiguration.Configure(WebApiConfig.Register);
AreaRegistration.RegisterAllAreas();
GlobalConfiguration.Configuration.Formatters.JsonFormatter.SerializerSettings.ReferenceLoopHandling = ReferenceLoopHandling.Ignore;
GlobalConfiguration.Configuration.Formatters.JsonFormatter.SerializerSettings.Converters.Add(new StringEnumConverter());
RegisterGlobalFilters(GlobalFilters.Filters);
RegisterRoutes(RouteTable.Routes);
Components.Automapper.CreateMaps();
// Requrired for managing AppDomain teardown - IRegisteredObject
MonitorManager.RegisterInstance();
}
IIS Express:
http://localhost:8181/api/v1/builder/GetExternalOrganizationID/123.123.123.123.1234 returns a JSON object as I would expect.
IIS:
http://my server/api/v1/builder/GetExternalOrganizationID/123.123.123.123.1234 returns a 404
I am guessing that I am missing something simple here or don't understand how attribute routing works.
Added
Here is the system.webServer section from web.config:
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
<modules runAllManagedModulesForAllRequests="true">
<add name="ErrorLog" type="Elmah.ErrorLogModule, Elmah" preCondition="managedHandler" />
<add name="ErrorMail" type="Elmah.ErrorMailModule, Elmah" preCondition="managedHandler" />
<add name="ErrorFilter" type="Elmah.ErrorFilterModule, Elmah" preCondition="managedHandler" />
</modules>
<handlers>
<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*" verb="*" type="System.Web.Handlers.TransferRequestHandler" resourceType="Unspecified" requireAccess="Script" preCondition="integratedMode,runtimeVersionv4.0" />
<remove name="OPTIONSVerbHandler" />
<remove name="TRACEVerbHandler" />
</handlers>
</system.webServer>

As per as i know, if it's not working properly on your IIS, then that is an IIS error, not an ASP.NET error so this doesn’t actually come from ASP.NET’s routing engine but from IIS’s handling of expressionless URLs.
You can try with adding runAllManagedModulesForAllRequests to your web.config
<system.webServer>
<modules runAllManagedModulesForAllRequests="true">
<add name="ScriptCompressionModule" type="Westwind.Web.ScriptCompressionModule,Westwind.Web" />
</modules>
</system.webServer>
In detail you can refer Rick Strahl's Web Log ASP.NET Routing not working on IIS 7.0
Hope this helps!

Using the setAllowedFields() method in Spring

I'm using Spring 3.2.0. I have registered a few custom property editors for some basic needs as follows.
import editors.DateTimeEditor;
import editors.StrictNumberFormatEditor;
import java.math.RoundingMode;
import java.net.URL;
import java.text.DecimalFormat;
import java.text.NumberFormat;
import org.joda.time.DateTime;
import org.springframework.beans.propertyeditors.StringTrimmerEditor;
import org.springframework.beans.propertyeditors.URLEditor;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.context.request.WebRequest;
#ControllerAdvice
public final class GlobalDataBinder
{
#InitBinder
public void initBinder(WebDataBinder binder, WebRequest request)
{
binder.setIgnoreInvalidFields(true);
binder.setIgnoreUnknownFields(true);
//binder.setAllowedFields(someArray);
NumberFormat numberFormat=DecimalFormat.getInstance();
numberFormat.setGroupingUsed(false);
numberFormat.setMaximumFractionDigits(2);
numberFormat.setRoundingMode(RoundingMode.HALF_UP);
binder.registerCustomEditor(DateTime.class, new DateTimeEditor("MM/dd/yyyy HH:mm:ss", true));
binder.registerCustomEditor(Double.class, new StrictNumberFormatEditor(Double.class, numberFormat, true));
binder.registerCustomEditor(String.class, new StringTrimmerEditor(true));
binder.registerCustomEditor(URL.class, new URLEditor());
}
}
I have this many editors registered so far. Two of them DateTimeEditor and StrictNumberFormatEditor have been customized by overriding respective methods to fulfill custom needs of number format and Joda-Time.
Since I'm using Spring 3.2.0, I can take advantage of #ControllerAdvice.
Spring recommends to list a set of allowed fields with the setAllowedFields() method so that malicious users can not inject values into bound objects.
From the docs about DataBinder
Binder that allows for setting property values onto a target object,
including support for validation and binding result analysis. The
binding process can be customized through specifying allowed fields,
required fields, custom editors, etc.
Note that there are potential security implications in failing to set
an array of allowed fields. In the case of HTTP form POST data for
example, malicious clients can attempt to subvert an application by
supplying values for fields or properties that do not exist on the
form. In some cases this could lead to illegal data being set on
command objects or their nested objects. For this reason, it is highly
recommended to specify the allowedFields property on the DataBinder.
I have a big application and obviously there are thousands of fields. Specifying and listing all of them with the setAllowedFields() is a tedious job. Additionally, somehow I need to remember them.
Changing a web page to remove some fields or add additional fields as the need arises again requires to modify the parameter value of the setAllowedFields() method to reflect those changes.
Is there any alternative to this?

Instead of using setAllowedFields() to white-list, you can use setDisallowedFields() to black-list. For example, from the petclinic sample application:
#InitBinder
public void setAllowedFields(WebDataBinder dataBinder) {
dataBinder.setDisallowedFields("id");
}
From a pure security standpoint white-listing is preferred to black-listing, but it maybe help ease the burden some.

setAllowedFields() is very handy when using entity objects directly in web layer. Alternatively, one could use dedicated data transfer objects (DTO), from which entity objects are constructed in the service layer. Not only can the factories be re-used, but also used outside the web context, e.g. for asynchronous messages. Besides, DTO inheritance doesn't have to follow entity inheritance, so you are free to design the DTO hierarchy according to the needs of the use-cases.

from http://static.springsource.org/spring-webflow/docs/2.0.x/reference/htmlsingle/spring-webflow-reference.html#view-model
4.9. Specifying bindings explicitly
Use the binder element to configure the exact set of model bindings usable by the view. This is particularly useful in a Spring MVC environment for restricting the set of "allowed fields" per view.
<view-state id="enterBookingDetails" model="booking">
<binder>
<binding property="creditCard" />
<binding property="creditCardName" />
<binding property="creditCardExpiryMonth" />
<binding property="creditCardExpiryYear" />
</binder>
<transition on="proceed" to="reviewBooking" />
<transition on="cancel" to="cancel" bind="false" />
</view-state>
If the binder element is not specified, all public properties of the model are eligible for binding by the view. With the binder element specified, only the explicitly configured bindings are allowed.
Each binding may also apply a converter to format the model property value for display in a custom manner. If no converter is specified, the default converter for the model property's type will be used.
<view-state id="enterBookingDetails" model="booking">
<binder>
<binding property="checkinDate" converter="shortDate" />
<binding property="checkoutDate" converter="shortDate" />
<binding property="creditCard" />
<binding property="creditCardName" />
<binding property="creditCardExpiryMonth" />
<binding property="creditCardExpiryYear" />
</binder>
<transition on="proceed" to="reviewBooking" />
<transition on="cancel" to="cancel" bind="false" />
</view-state>
In the example above, the shortDate converter is bound to the checkinDate and checkoutDate properties. Custom converters may be registered with the application's ConversionService.
Each binding may also apply a required check that will generate a validation error if the user provided value is null on form postback:
<view-state id="enterBookingDetails" model="booking">
<binder>
<binding property="checkinDate" converter="shortDate" required="true" />
<binding property="checkoutDate" converter="shortDate" required="true" />
<binding property="creditCard" required="true" />
<binding property="creditCardName" required="true" />
<binding property="creditCardExpiryMonth" required="true" />
<binding property="creditCardExpiryYear" required="true" />
</binder>
<transition on="proceed" to="reviewBooking">
<transition on="cancel" to="bookingCancelled" bind="false" />
</view-state>
In the example above, all of the bindings are required. If one or more blank input values are bound, validation errors will be generated and the view will re-render with those errors.

A solution to use binder with DTO (companydata in example) in case most of the form input values should be converted to null if empty, but there is a need to add few exceptions (setDisallowedFields didn't work for me).
#InitBinder()
public void initBinder(WebDataBinder binder) {
binder.registerCustomEditor(String.class, new StringTrimmerEditor(true));
}
#InitBinder
protected void initBinder(HttpServletRequest request, ServletRequestDataBinder binder) {
binder.registerCustomEditor(String.class, "companydata.companyName", new StringTrimmerEditor(false));
binder.registerCustomEditor(String.class, "companydata.companyNumber", new StringTrimmerEditor(false));
}

UserPrincipal.Current returns apppool on IIS

I need to find who is the current user and check their groups in an active directory setup (windows server 2008) to see if they have permission to access certain pages (admin) on the mvc3 site I am constructing. However, whenever I create a PrincipalContext and query the current user, it returns the apppool the site is running under.
Ive tried:
PrincipalContext ctx = new PrincipalContext(ContextType.Domain);
UserPrincipal currentuser = UserPrincipal.Current;
string username = currentuser.DisplayName;
and
PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "domain", "CN=dbcn LDAP,OU=the - account,DC=thedc,DC=local", "domain\\user", "password");
UserPrincipal currentuser = UserPrincipal.Current;
string username = currentuser.DisplayName;
Web.config looks like:
<configuration>
<appSettings>
<add key="webpages:Version" value="1.0.0.0" />
<add key="ClientValidationEnabled" value="true" />
<add key="UnobtrusiveJavaScriptEnabled" value="true" />
<add key="autoFormsAuthentication" value="false" />
<add key="enableSimpleMembership" value="false"/>
</appSettings>
<authentication mode="Windows" />
<membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
<providers>
<clear />
<add name="AspNetActiveDirectoryMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="service" />
</providers>
</membership>
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
<providers>
<clear />
<add name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" applicationName="/" />
</providers>
</roleManager>
<identity impersonate="false" />
<connectionStrings>
<add name="foocontext" connectionString="data source=foo;Initial Catalog=foo;Integrated Security=SSPI;MultipleActiveResultSets=true;" providerName="System.Data.SqlClient" />
<add name="ADService" connectionString="LDAP://foo.local/OU=the - service,DC=foo,DC=local" />
</connectionStrings>
</configuration>
Ive tried instantiating the context with two different accounts (and with no account specified), one of them the ldap account the IT admin uses for queries. What am I missing here? Why does it always return the apppool as the current user? How can I get the current logged in user.
Thanks!

HttpContext.User is what you want...
In ASP.NET, the security context of a user that is authenticated with Windows authentication is represented by the WindowsPrincipal and WindowsIdentity classes. ASP.NET applications that use Windows authentication can access the WindowsPrincipal class through the HttpContext.User property.
To retrieve the security context of the Windows authenticated user that initiated the current request, use the following code:
using System.Security.Principal;
...
// Obtain the authenticated user's Identity
WindowsPrincipal winPrincipal = (WindowsPrincipal)HttpContext.Current.User;
Asp.Net Windows Auth

This is what worked for me after some searching
PrincipalContext ctx = new PrincipalContext(ContextType.Domain);
UserPrincipal user = UserPrincipal.FindByIdentity(ctx, User.Identity.Name);

Custom Membership Provider Error

I have a custom asp.net membership class I am building where I have a helper function that the
GetUser() method uses to convert the values from my database into a System.Web.Security.MembershipUser object.
private MembershipUser _converToMembershipUser(MembershipDBModel member)
{
System.Web.Security.MembershipUser membershipUser = new System.Web.Security.MembershipUser(
this.Name,
member.UserName,
member.UserID.ToString(),
member.Email,
member.PasswordQuestion,
member.Comment,
member.IsApproved,
member.IsLockedOut,
member.CreationDate,
member.LastLoginDate,
member.LastActivityDate,
member.LastPasswordChangedDate,
member.LastLockedOutDate);
return membershipUser;
}
This is the error that I keep getting when the above method is being called. I have not idea how to get around this so any suggestion is very welcome.
System.IO.FileLoadException was caught
Message=The given assembly name or codebase was invalid. (Exception from HRESULT: 0x80131047)
Source=System.Web
StackTrace:
at System.Web.Security.Membership.Initialize()
at System.Web.Security.MembershipAdapter.get_Providers()
at System.Web.Security.MembershipUser..ctor(String providerName, String name, Object providerUserKey, String email, String passwordQuestion, String comment, Boolean isApproved, Boolean isLockedOut, DateTime creationDate, DateTime lastLoginDate, DateTime lastActivityDate, DateTime lastPasswordChangedDate, DateTime lastLockoutDate)
at TMTechMembershipProvider.MembershipProvider._converToMembershipUser(MembershipDBModel member) in d:\Visual Studio 2010\Projects\TMTechMembershipProvider\TMTechMembershipProvider\TMTechMembershipProvider.cs:line 1005
at TMTechMembershipProvider.MembershipProvider.GetUser(String username) in d:\Visual Studio 2010\Projects\TMTechMembershipProvider\TMTechMembershipProvider\TMTechMembershipProvider.cs:line 965
at TMTechMembershipProvider.MembershipProvider.CreateUser(String username, String password, String email, String passwordQuestion, String passwordAnswer, Boolean isApproved, Object providerUserKey, MembershipCreateStatus& status) in d:\Visual Studio 2010\Projects\TMTechMembershipProvider\TMTechMembershipProvider\TMTechMembershipProvider.cs:line 435
InnerException:
System.Web.Security.MembershipAdapter.get_Providers() Initialize() The given assembly name or codebase was invalid.
config file
<?xml version="1.0"?>
<configuration>
<appSettings></appSettings>
<connectionStrings>
<add name="MembershipDBContext" providerName="System.Data.SqlServerCe.4.0" connectionString="data source=MembershipDBContext.sdf"/>
</connectionStrings>
<system.web>
<membership>
<providers>
<!--<remove name="AspNetSqlMembershipProvider"/>
<add name="AspNetSqlMembershipProvider" type="TMTechMembershipProvider, Version=1.0.0.0, Culture=neutral, PublicKeyToken=cbae438f5bab0724" connectionStringName="MembershipDBContext" enablePasswordRetrieval="true" enablePasswordReset="true" requiresQuestionAndAnswer="true" applicationName="MyUnitTests" requiresUniqueEmail="true" passwordFormat="Hashed" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="1" passwordAttemptWindow="10" passwordStrengthRegularExpression=""/>-->
<clear/>
<!--<add name="TMTechMembershipProvider.MembershipProvider" type="TMTechMembershipProvider, Version=1.0.0.0, Culture=neutral, PublicKeyToken=cbae438f5bab0724" connectionStringName="MembershipDBContext" enablePasswordRetrieval="true" enablePasswordReset="true" requiresQuestionAndAnswer="true" applicationName="MyUnitTests" requiresUniqueEmail="true" passwordFormat="Hashed" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="1" passwordAttemptWindow="10" passwordStrengthRegularExpression=""/>-->
<add name="TMTechMembershipProvider"
type="TMTechMembershipProvider.TempMembershipProvider"
connectionStringName="MembershipDBContext"
enablePasswordRetrieval="true"
enablePasswordReset="true"
requiresQuestionAndAnswer="true"
applicationName="MyUnitTests"
requiresUniqueEmail="true"
passwordFormat="Hashed"
maxInvalidPasswordAttempts="5"
minRequiredPasswordLength="6"
minRequiredNonalphanumericCharacters="1"
passwordAttemptWindow="10"
passwordStrengthRegularExpression=""/>
</providers>
</membership>
<machineKey validationKey="EAA358B778400490DE16A414AC2144C740874D426214CA81D8265354535ACCA9C0238D5C20021D4335DBE1171F31C02F0AB8ADD5B1EE2A6E07CC768F04B20F30" decryptionKey="AF622C5C9796D67DEB876483F1341E3708CA056B1EB031CEAD6FD7CBD0F13A50" validation="SHA1" decryption="AES"/>
</system.web>
<!--<system.web>
<membership>
<providers>
<remove name="AspNetSqlMembershipProvider"/>
<add name="AspNetSqlMembershipProvider"
type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="LocalSqlServer"
enablePasswordRetrieval="false"
enablePasswordReset="true"
requiresQuestionAndAnswer="false"
applicationName="/"
requiresUniqueEmail="false"
passwordFormat="Hashed"
maxInvalidPasswordAttempts="5"
minRequiredPasswordLength="1"
minRequiredNonalphanumericCharacters="0"
passwordAttemptWindow="10"
passwordStrengthRegularExpression="" />
</providers>
</membership>
</system.web>-->
<startup>
<!--<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0"/>-->
</startup>
</configuration>

Error: "The given assembly name or codebase was invalid"
Your type attribute:
type="TMTechMembershipProvider.TempMembershipProvider"
Your type attribute in your commented line:
type="TMTechMembershipProvider, Version=1.0.0.0, Culture=neutral, PublicKeyToken=cbae438f5bab0724"
Your comment:
i tend to agree but this is needle in haystack. This is what I thought the Fusion Log Viewer was for to help identify what is failing to load.
sry, but lol :)
Update 1: re the comment:
Just found it funny, couldn't resist. Meant no harm and was not imply anything with it, we've all been there.
Now on a more serious note, it still seems an issue with specifically that line.
Let's compare it with the type line of the asp.net provider:
type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
[Provider class (including the namespace)], [dll], [Version], ...
It seems you are missing either the class or the dll. Hoping that solves it, good luck.

This is not likely to be a code issue, it is a dll reference issue.
You need to carefully review any "type", "assembly", or "publicKeyToken" xml attributes in your web.config. The most likely cause is that you've mis-copied the public key token for an assembly. I would start by checking anywhere you've referenced the System.Web assembly and make sure that the public key token is exactly right and that there are no mispellings in any type names.
In particular, check the type attribute in the add element under the provider and membership element in your web.config. Also, if the custom membership class is implemented in a separate dll, be certain that you are actually referencing the correct version of the System.Web assembly from that dll.